Hello misc, I'm having problems with two IPsec tunnels from two different peers behind the same NAT, to the same responder. All hosts are running OpenBSD 4.1, including the NATing gateway. One peer can connect just fine, but when the other tries to establish a tunnel (with a different tunneled network), the first SA is just deleted. The two peers are now continuously "competing". I get a lot of INVALID_COOKIE messages from isakmpd.
It's the same problem as reported in this post: http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html. However, the "Shared-SADB" parameter mentioned doesn't have any effect for me. I've sort of tracked this down to a call to sa_delete() in ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This function calls sa_lookup_by_peer(), which apparently matches both of my SAs. I disabled the sa_delete() loop and now both of my SAs stay up fine, but I'm not really sure what I've done. Does anyone (developer?) have any thoughts about this? TIA /Martin
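
The collision described above, as an added toy model that is not isakmpd's source and makes no claim about how sa_lookup_by_peer() actually compares peers: two SAs whose peers sit behind one NAT share the responder-side address and differ only in the translated UDP source port. If a "delete the other SAs for this peer" sweep compares only the address, the second peer's negotiation removes the first peer's SA; if the port is compared as well, both survive. The peer addresses, ports, SA names and the with_port switch are all constructed for the example.

```c
/* Added illustration, not isakmpd source: a toy SA table showing why a
 * delete-by-peer sweep that compares only the peer's IP address removes
 * the SA of a second peer behind the same NAT, while comparing address
 * and UDP port keeps the two SAs apart.  Addresses, ports and SA names
 * are constructed sample data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAS 8

struct peer {
    uint32_t addr;  /* peer IPv4 address as the responder sees it (host order) */
    uint16_t port;  /* peer UDP source port as the responder sees it */
};

struct sa {
    char name[16];  /* label used only in diagnostics */
    struct peer peer;
    int alive;      /* cleared when the SA is deleted */
};

/* Hypothetical comparison: with_port selects whether the port takes part. */
static int peer_match(const struct peer *a, const struct peer *b, int with_port)
{
    if (a->addr != b->addr)
        return 0;
    return with_port ? (a->port == b->port) : 1;
}

static struct sa *sa_install(struct sa *tab, int *n, const char *name,
                             const struct peer *p)
{
    if (*n >= MAX_SAS)
        return NULL;
    struct sa *s = &tab[(*n)++];
    snprintf(s->name, sizeof s->name, "%s", name);
    s->peer = *p;
    s->alive = 1;
    return s;
}

/* Models a "delete the other SAs for this peer" sweep run after `fresh`
 * has been negotiated; returns how many SAs it removed. */
static int sa_delete_others_by_peer(struct sa *tab, int n,
                                    const struct sa *fresh, int with_port)
{
    int deleted = 0;
    for (int i = 0; i < n; i++) {
        if (!tab[i].alive || &tab[i] == fresh)
            continue;
        if (peer_match(&tab[i].peer, &fresh->peer, with_port)) {
            printf("  deleting %s (same peer as %s)\n", tab[i].name, fresh->name);
            tab[i].alive = 0;
            deleted++;
        }
    }
    return deleted;
}

static int sa_alive_count(const struct sa *tab, int n)
{
    int alive = 0;
    for (int i = 0; i < n; i++)
        alive += tab[i].alive;
    return alive;
}

/* Two peers behind one NAT negotiate one after the other.  Returns how many
 * SAs are still up at the end: 1 if only the address is compared, 2 if the
 * port is compared as well. */
int simulate_two_peers_behind_nat(int with_port)
{
    /* Constructed: both peers arrive from the NAT's public address 203.0.113.10,
     * distinguished only by the translated UDP source port. */
    const uint32_t nat_addr = (203u << 24) | (0u << 16) | (113u << 8) | 10u;
    const struct peer peer_a = { nat_addr, 4500 };
    const struct peer peer_b = { nat_addr, 4501 };
    struct sa tab[MAX_SAS];
    int n = 0;

    printf("compare %s:\n", with_port ? "address+port" : "address only");
    struct sa *sa_a = sa_install(tab, &n, "sa-peerA", &peer_a);
    sa_delete_others_by_peer(tab, n, sa_a, with_port);  /* table still empty otherwise */
    struct sa *sa_b = sa_install(tab, &n, "sa-peerB", &peer_b);
    sa_delete_others_by_peer(tab, n, sa_b, with_port);  /* address-only: removes sa-peerA */
    return sa_alive_count(tab, n);
}

int main(void)
{
    printf("SAs up: %d\n", simulate_two_peers_behind_nat(0));
    printf("SAs up: %d\n", simulate_two_peers_behind_nat(1));
    return 0;
}
```

Running the model with address-only matching leaves a single SA, and if peer A then renegotiates it would in turn remove peer B's SA, which is the kind of "competing" cycle the post reports; matching on address and port leaves both SAs in place.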

